Reserve Dynamic IP NAT Addresses

You can reserve Dynamic IP NAT addresses (for
a configurable period of time) to prevent them from being allocated
as translated addresses to a different source IP address that needs
translation. When configured, the reservation applies to all of
the translated Dynamic IP addresses in progress and any new translations.

For both translations in progress and new translations, when a source
IP address is translated to an available translated IP address,
that pairing is retained even after all sessions related to that
specific source IP have expired. The reservation timer for each source
IP address begins after all sessions that use that source IP address
translation expire. Dynamic IP NAT is a one-to-one translation;
one source IP address translates to one translated IP address that
is chosen dynamically from those addresses available in the configured
pool. Therefore, a translated IP address that is reserved is not
available for any other source IP address until the reservation
expires, which happens when no new session starts before the timer
runs out. The timer is reset each time a new session for a source
IP/translated IP mapping begins, after a period when no sessions
were active.

By default, no
addresses are reserved. You can reserve Dynamic IP NAT addresses
for the firewall or for a virtual system.

For
example, suppose there is a Dynamic IP NAT pool of 30 addresses
and there are 20 translations in progress when the nat reserve-time is
set to 28800 seconds (8 hours). Those 20 translations are now reserved,
so that when the last session (of any application) that uses each
source IP/translated IP mapping expires, the translated IP address
is reserved for only that source IP address for 8 hours, in case
that source IP address needs translation again. Additionally, as
the 10 remaining translated addresses are allocated, they each are
reserved for their source IP address, each with a timer that begins
when the last session for that source IP address expires.

In
this manner, each source IP address can be repeatedly translated
to its same NAT address from the pool; another host will not be
assigned a reserved translated IP address from the pool, even if
there are no active sessions for that translated address.

Suppose
a source IP/translated IP mapping has all of its sessions expire,
and the reservation timer of 8 hours begins. After a new session
for that translation begins, the timer stops, and the sessions continue
until they all end, at which point the reservation timer starts
again, reserving the translated address.
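
The reservation behavior described above, as a simplified Python model added here for illustration; it is not PAN-OS code. The class and method names and the addresses are constructed, and returning None when no address is free is an assumption of the model.

```python
# Simplified model of Dynamic IP NAT address reservation (illustrative; not PAN-OS code).
RESERVE_TIME = 28800  # seconds (8 hours), the value used in the example above


class DynamicIpPool:
    def __init__(self, addresses, reserve_time=RESERVE_TIME):
        self.free = list(addresses)      # translated addresses not bound to any source
        self.reserve_time = reserve_time
        self.mapping = {}                # source IP -> translated IP
        self.sessions = {}               # source IP -> count of active sessions
        self.idle_since = {}             # source IP -> time its last session expired

    def _expire(self, now):
        # Release mappings whose reservation timer ran out with no new session.
        for src, t in list(self.idle_since.items()):
            if now - t >= self.reserve_time:
                self.free.append(self.mapping.pop(src))
                del self.idle_since[src], self.sessions[src]

    def start_session(self, src, now):
        """Return the translated IP for src, or None if no address is available."""
        self._expire(now)
        if src not in self.mapping:
            if not self.free:
                return None              # every address is in use or reserved
            self.mapping[src] = self.free.pop(0)
            self.sessions[src] = 0
        self.idle_since.pop(src, None)   # a new session stops the reservation timer
        self.sessions[src] += 1
        return self.mapping[src]

    def end_session(self, src, now):
        self.sessions[src] -= 1
        if self.sessions[src] == 0:
            self.idle_since[src] = now   # timer starts when the last session expires


def demo():
    pool = DynamicIpPool(["198.51.100.1", "198.51.100.2"])  # constructed addresses
    a = pool.start_session("10.0.0.1", now=0)
    b = pool.start_session("10.0.0.2", now=0)
    pool.end_session("10.0.0.1", now=100)                # timer starts at t=100
    blocked = pool.start_session("10.0.0.3", now=200)    # None: address is reserved
    again = pool.start_session("10.0.0.1", now=300)      # same translated IP as before
    pool.end_session("10.0.0.1", now=400)                # timer restarts at t=400
    late = pool.start_session("10.0.0.3", now=400 + RESERVE_TIME)  # reservation expired
    return a, b, blocked, again, late
```

In the model, a long reserve time with a small pool leaves new source addresses without a translation while idle reservations are held, so the pool size needs to be planned against the reserve time.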

The reservation timer
remains in effect on the Dynamic IP NAT pool until you disable it
by entering the set setting nat reserve-ip no command
or you change the nat reserve-time to a different
value.

The CLI commands for reservations do not affect Dynamic
IP and Port (DIPP) or Static IP NAT pools.